It's Time to Make Student Privacy a Priority
Last month, the Federal Trade Commission and the U.S. Department of Education held a workshop in Washington, DC. The topic was “Student Privacy and Ed Tech.” We at EFF have been trying to get the FTC to focus on the privacy risks of educational technology (or “ed tech”) for over two years, so we eagerly filed formal comments.
We’ve long been concerned about how technology impacts student privacy. As schools and classrooms become increasingly wired, and as schools put more digital devices and services in the hands of students, we’ve been contacted by a large number of concerned students, parents, teachers, and even administrators.
They want to know: What data are ed tech providers collecting about our kids? How are they using it? How well do they disclose (if at all) the scope of their data collection? How much control (if any) do they give to schools and parents over the retention and use of the data they collect? Do they even attempt to obtain parental consent before collecting and using incredibly sensitive student data?
In the spring of 2017, we released the results of a survey that we conducted in order to plumb the depths of the confusion surrounding ed tech. And as it turns out, students, parents, teachers, and even administrators have lots of concerns—and very little clarity—over how ed tech providers protect student privacy.
Drawing from the results of our survey, our comments to the FTC and DOE touched on a broad set of concerns:
- The FTC has ignored our student privacy complaint against Google. Despite signing a supposedly binding commitment to refrain from collecting student data without parental consent beyond that needed for school purposes, Google openly harvests student search and browsing behavior, and uses that data for its own purposes. We filed a formal complaint with the FTC more than two years ago but have heard nothing back.
- There is a consistent lack of transparency in ed tech privacy policies and practices. Schools issue devices to students without their parents’ knowledge and consent. Parents are kept in the dark about what apps their kids are required to use and what data is being collected.
- The investigative burden too often falls on students and parents. With no notice or help from schools, the investigative burden falls on parents and even students to understand the privacy implications of the technology students are using.
- Data use concerns are unresolved. Parents have extensive concerns about student data collection, retention, and sharing. Many ed tech products and services have weak privacy policies. For instance, it took the lawyers at EFF months to get a clear picture of which privacy policies even applied to Google’s student offerings, much less how they interacted.
- Lack of choice in ed tech is the norm. Parents who seek to opt their children out of device or software use face many hurdles, particularly those without the resources to provide their own alternatives. Some districts have even threatened to penalize students whose parents refuse to consent to what they believe are egregious ed tech privacy policies and practices.
- Overreliance on “privacy by policy.” School districts generally rely on the privacy policies of ed tech companies to ensure student data protection. Parents and students, on the other hand, want concrete evidence that student data is protected in practice as well as in policy.
- There is an unfilled need for better privacy training and education. Both students and teachers want better training in privacy-conscious technology use. Ed tech providers aren’t fulfilling their obligations to schools when they fail to provide even rudimentary privacy training.
- Ed tech vendors treat existing privacy law as if it doesn’t apply to them. Because the Family Educational Rights and Privacy Act (“FERPA”) generally prohibits school districts from sharing student information with third parties without written parental consent, districts often characterize ed tech companies as “school officials.” However, districts may only do so if—among other things—providers give districts or schools direct control over all student data and refrain from using that data for any other purpose. Despite the fact that current ed tech offerings generally fail those criteria, vendors generally don’t even attempt to obtain parental consent.
We believe it is incumbent upon school districts to fully understand the data and privacy policies and practices of the ed tech products and services they wish to use, demand that ed tech vendors assent to contract terms that are favorable to the school districts and actually protect student privacy, and be ready not to do business with a company that does not engage in robust privacy practices.
While we understand that school budgets are often tight and that technology can actually enhance the learning experience, we urge regulators, school districts, and the ed tech companies themselves to make student privacy a priority. We hope the FTC and DOE listen to what we, and countless concerned students, parents, and teachers, have to say.